(U//FOUO) OSN Overview

(S//SI//REL TO USA, FVEY) OSN Selectors are usually invisible to the user and are only used internally.

(U) Fanbox

(TS//SI//REL TO USA, FVEY) Suppose you sign up for Fanbox with the address terror.bomber@live.com, and you also sign up for Fanbox email.

(TS//SI//REL TO USA, FVEY) Here's what your identifiers will look like:

• (TS//SI//REL TO USA, FVEY) Username: terrorbomber378691 622
• (TS//SI//REL TO USA, FVEY) UserId: 217440283
• (TS//SI//REL TO USA, FVEY) Email: terrorbomber@fanbox.com (if it's available)
• (TS//SI//REL TO USA, FVEY) Email: terrorbomber18246@fanbox.com (if the above address is already taken)
• (TS//SI//REL TO USA, FVEY) Note that if your sign up email address already exists as a Fanbox email address, Fanbox will simply append a few random digits to make it a unique Fanbox email address.

What intelligence do OSNs provide to the IC?

* (S//SI//REL TO USA, FVEY) Insight into the personal lives of targets MAY include:

■ (U) Communications
■ (U) Day to Day activities
■ (U) Contacts and social networks
■ (U) Photographs
■ (U) Videos
■ (U) Personnel information (e.g. Addresses, Phone, Email addresses)
■ (U) Location and Travel Information

(U) Popular Online Social Networks as of 2007

[Figure: OSN names shown on the slide: bebo, blogger, cyworld, facebook, fotolog, friendster, hi5, livejournal, myspace, orkut, skyblog, studiverzeichnis, unidentified]

(U) Popular Online Social Networks as of October 2008

[Figure: OSN names and logos; legible entries include Cyworld (S Korea), Facebook, Friendster, Hyves and myspace.com. The remaining entries are illegible in this copy.]

(TS//SI//REL TO USA, FVEY) CT Targets have been observed using more than 50+ OSNs as of late 2008

(TS//SI//REL TO USA, FVEY) Types of OSN Activity

(TS//SI//REL TO USA, FVEY) Type I: Operational Communication
(TS//SI//REL TO USA, FVEY) Type II: Technological Operational Communication
(TS//SI//REL TO USA, FVEY) Type III: Extremist/Propaganda OSN Users (Overt)
(TS//SI//REL TO USA, FVEY) Type IV: Direct Non-operational OSN Users
(TS//SI//REL TO USA, FVEY) Type V: Self-Provided Personal Data on OSN
(TS//SI//REL TO USA, FVEY) Type VI: Close Associate Information or Communication (“The Super Sloth Method”)

(S//SI//REL TO USA, FVEY) OSN Selectors expand SIGDEV opportunities

Leverage initial selector seeds to build a better picture of the target’s online persona and the selectors involved

(U) OSN Comms Flow

(TS//SI//REL TO USA, FVEY) TWO individuals communicating seamlessly through at least FOUR independent selectors

(TS//SI//REL TO USA, FVEY) User Activity Possible Queries

[Screenshot: User Activity]

(TS//SI//REL TO USA, FVEY) Pros and Cons of User Activity Queries

Pros:

• Hard Selector query
• Easy to pull/automate
• Email Addresses in the Username can lead to new leads

Cons:

• Only certain OSNs’ usernames can be queried
• No content that doesn’t have a selector associated with it
• No Web-Browsing

(TS//SI//REL TO USA, FVEY) HTTP Activity and IP Multisearch Queries

[Screenshot: search form. Fields: Datetime (1 Day), Start (2009-09-23 00:00), Content Must Exist, Snippet Must Exist, Max Results for a Single DB, IP Address, IP Role (From / To / X-Forwarded-For), HTTP Type, Host, URL Path, URL Args, Search Terms, Language, Active User, TDI Type, TDI. Search Forms: User Activity, Phone Number Extractor, Email Addresses, Extracted Files, HTTP Activity, Full Log, Web Proxy.]

HTTP Activity Queries usually require some other piece of technical information to query while leveraging the OSN appIDs to be legally compliant

• IP Address
• MAC Address

(TS//SI//REL TO USA, FVEY) Username Queries are preferable

[Screenshot: Search menu (Search Wizard, Classic, Multi Search: IP Addresses, Mac Address, Username) and search form. Fields: Datetime (1 Day), Start, Stop (2009-09-24), Username, Domain, Content Must Exist, Snippet Must Exist, Max Results for a single DB. Search Forms: User Activity, Email Addresses, Full Log. Result columns include Search For, Search Value, @Domain, Realm, Subject, Attribute Type, Attribute Value, Activity; the sample rows show "username" and "email_address" values.]

• Email address of the user often appears in the “Attribute Value” or other fields when looking at OSNs.

(TS//SI//REL TO USA, FVEY) HTTP Activity Queries

HTTP Activity Queries usually require some other piece of technical information to query while leveraging the OSN appIDs to be legally compliant

• IP Address
• MAC Address
• Country of Origin

(TS//SI//REL TO USA, FVEY) Pros and Cons of HTTP Activity Queries

Pros:

• OSNs that don’t require login are seen
• Mobile and other technologies may be seen more easily
• Web forms, chat, etc. that may not be collected by normal dictionary selection can be seen and saved off

Cons:

• Traffic Overload - Too many results (GET requests etc.)
• Proxies and network architecture can obfuscate the target’s traffic
• Bad presentation - HTTP activity usually needs to be viewed as code

[Screenshot: Field Builder showing Latitude (IP) and Longitude (IP) fields and two example entries. First entry: Application Type "Facebook | Target's Name", Application Info "social/facebook", Application "AppID (+Fingerprints) [fulltext]". Second entry: Application Type "Target's Twitter Name", Application Info "social/twitter", Application "AppID (+Fingerprints) [fulltext]".]

(S//SI//REL TO USA, FVEY) Xkeyscore Server Side Pulls

(TS//SI//REL TO USA, FVEY) Useful Appids

Social/* = A great starting point, will show all social traffic on an IP, also an efficient way to see the types of OSN being used in a geographic area, region, etc.

Social/YourOSNHere = Great for IP level targeting etc.

Social/Facebook/chat/to_server = Possible to see the recipient of a target’s chat and the message that was sent

Social/Facebook/upload/photo = AppID detects the photos being uploaded onto Facebook by your target

(U) Questions or Comments?

Email: DL OSNwg

Main Page: [illegible]

Other Pages: “Go Facebook” “Go Twitter” “Go OSN_Tiger_Team”